DOI: 10.1145/3617072.3617102 (research article, EuroUSEC conference proceedings)

Assessing Security, Privacy, User Interaction, and Accessibility Features in Popular E-Payment Applications

Published: 16 October 2023
Abstract

    Mobile payment applications facilitate quick digital transactions; thus, evaluating these applications for security, privacy, user interaction, and accessibility is crucial. In our study, we analyzed the 50 most downloaded mobile payment applications on the Google Play Store. Thereafter, we used three open-source tools (MobSF, AndroBugs, and RiskInDroid) to assess their security and privacy features. We then employed Microsoft's Accessibility Insights for accessibility analysis and evaluated 1,886,352 Google Play Store reviews, specifically 90,494 with negative sentiments [score <= 0], to understand user interaction issues. Our analysis shows that at least one security vulnerability, such as those associated with SSL, digital certificates, third-party libraries, weak encryption methods, and network configurations, exists in each application. We also find that both user-reported and tool-detected issues compromise privacy protection principles, such as data minimization, transparency, and purpose limitation. Additionally, we identify 2,768 accessibility issues, mainly relating to touch input sizes, accessible names of view objects, and meaningful alternative text for images. Also, of privacy and security concerns originate from user account access issues, while of usability concerns stem from app options not functioning as expected. Based on our findings, we propose recommendations to improve the overall robustness of these applications.



          Published In

          EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security
          October 2023, 364 pages
          ISBN: 9798400708145
          DOI: 10.1145/3617072
          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          Published: 16 October 2023


          Author Tags

          1. e-payment applications
          2. privacy
          3. security
          4. user interaction

          Qualifiers

          • Research-article
          • Research
          • Refereed limited

          Conference

          EuroUSEC 2023
